File Manager plugin for SquirrelMail
====================================
Ver 1.4, 10/10/02

Original author: Paul Lesneiwski <pdontthink@angrynerds.com>

Endless thank-yous to Ryan <ryan@vendetta.com>, Kenneth G. 
Kirk <kkirk@christtheteacher.org>, and Rene
<rene.madsen@webscorpion.com> for ideas, improvements, and 
valuable testing!



Description
===========

This plugin allows designated users file management
access to a pre-defined portion of the host machine's
file system.  

Probably doesn't work in a Windows hosting environment,
but if anyone's willing to serve as a test dummy, I'm 
sure we can fix that...



Features
========

  *  Only designated users can use the plugin
  *  Per-user base directory configuration
  *  Disallow browsing to symlinks per user
  *  Disallow CHMOD access per user
  *  File upload (includes overwrite warnings)
  *  User quota control
  *  File download
  *  Dynamically calculated file size upload limit
  *  Directory listing
  *  Change directories
  *  Directory creation
  *  File creation
  *  Change file permissions 
  *  Edit files
  *  Delete files
  *  Delete directories
  *  Move files/directories
  *  Rename files/directories
  *  Copy files/directories



Configuration
=============

The $systemUmask is currently only used when creating
new directories.  Change it with care!

The $defaultFolderPerms and $defaultFilePerms are the
permissions that will be used when creating new files
(upon upload) and directories; change as needed.

You can set the color in which symlinks are displayed
to those users who have permission to see them by 
setting $symlinkColor as desired.  Set it to an empty
string to turn this off and display them in the default
color.

The $fileEditStyle variable sets the display of file-
edit links:  If set to "edit link", the user must 
click on an "edit" link that follows the file name to
edit the file.  If set to "hyperlink", the user has
to click on the file name itself, which is then displayed
as a hyperlink (not to be confused with directories,
which are always displayed as hyperlinks).  Also, if 
you use "hyperlink" here, you can set the color thereof
by using the $fileLinkColor setting.

Only users that are entered into the config file can
access this plugin.  Please make sure that the username
entered in the config file precisely matches the user's
login ID.  (If you can't figure out your exact username,
then set $debug to 1 in setup.php and you will see your 
username appear in the links along the top of the main 
page, followed by the number 1 if it was found in the 
config file.  WARNING: This is only for testing; it 
allows any user access to the File Manager plugin and 
therefore should NOT be used in a production environment!)

The baseDir as defined for each user is the top-level
directory to which they will have access.  Be careful
with this setting.

The quota setting is used to limit the number of uploads
allowed and is calculated by adding up the size of all
files in the baseDir (and all subdirectories).  Set to
an empty string ('') to disable and allow unlimited
uploads.

The adminMail setting is the address which shows up as
a mailto: link (an address to which the user can send
help requests regarding problems) when the user encounters 
errors.

The allowLinks setting determines if symlinks will appear
on the user's screen.  If set to 1, the user will be able
to view and browse to symlinks.  Set to zero to disable.

The allowChmod setting determines if the user will be 
allowed to change file/folder permissions.  If set to 1,
the user will be allowed to do so.  Set to 0 (zero) to
disallow.

The $chmodOK setting indicates if chmod is available on 
the host system (and support for it is compiled into 
PHP).  This should be disabled if no chmod commands should 
be run whatsoever (even when it is turned on, you can
disable access to chmod for individual users as per above).  
Most users of this plugin won't need to change this 
setting - those who do probably know who they are.



Security Notes
==============
Users will only be able to manipulate files which
PHP has permission to change.  In most cases this
means that the files (and, for a file, its containing
directory) will need to be owned by the user the web
server runs as.  In the case of Apache, you'll want
to do this (replace "apache" with "nobody" or as
appropriate in your case):

  $ chown -R apache:apache users/base/directory

The directory information passed to the client browser
is all relative; however, that is not to say that it 
cannot be circumvented somehow.  Every request is
first checked against the user's base directory, and
no requests are acted upon above that directory, but
again, someone with more knowledge of security breaches
should review this code for potential holes.
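
The base-directory check described above, sketched as an
added example (this is not the plugin's own code).  The
function names fm_normalize and fm_resolve_within_base are
hypothetical, and the example assumes Unix-style paths,
PHP 7 or later, and a sample tree constructed in a
temporary directory.

```php
<?php
// Added example; not the plugin's code. Names and sample paths are hypothetical.
// Collapse "." and ".." lexically, without touching the file system.
function fm_normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Returns the canonical path if the request stays under $baseDir, else false.
function fm_resolve_within_base(string $baseDir, string $relPath, bool $allowLinks)
{
    $base = realpath($baseDir);
    if ($base === false || strpos($relPath, "\0") !== false) { return false; }
    $lexical = fm_normalize($base . '/' . $relPath);
    $real = realpath($lexical);              // follows symlinks
    if ($real === false) {
        // Target does not exist yet (upload, mkdir, move destination):
        // refuse dangling symlinks, then canonicalize the parent instead.
        $parent = realpath(dirname($lexical));
        if (is_link($lexical) || $parent === false) { return false; }
        $real = rtrim($parent, '/') . '/' . basename($lexical);
    }
    // Compare with a trailing slash so .../bob does not match .../bobby.
    $prefix = rtrim($base, '/') . '/';
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) { return false; }
    // With links disallowed, any difference means a symlink was traversed.
    if (!$allowLinks && $real !== $lexical) { return false; }
    return $real;
}

// Constructed sample tree in a temporary directory.
$root = sys_get_temp_dir() . '/fm_demo_' . getmypid();
mkdir("$root/bob/docs", 0700, true);
mkdir("$root/bobby", 0700, true);
symlink("$root/bobby", "$root/bob/escape");   // link pointing outside the base
symlink("$root/bob/docs", "$root/bob/inner"); // link staying inside the base
foreach (['docs', 'docs/../docs/new.txt', '../bobby', 'escape', 'inner'] as $p) {
    foreach ([true, false] as $links) {
        $r = fm_resolve_within_base("$root/bob", $p, $links);
        printf("%-22s allowLinks=%d -> %s\n", $p, $links, $r === false ? 'REFUSED' : 'ok');
    }
}
```

The file operation that follows should use the returned
canonical path rather than the client-supplied string.  The
check can still race with other processes that are able to
change the tree between the check and the operation.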



Change Log
==========
  1.4 - Paul Lesneiwski <pdontthink@angrynerds.com>
   * Implemented quota checking
   * Added Revert button when editing a file (thanks 
     Hans Pech)
   * Removed old code that was accidentally placing
     temp files in the SM attachments directory

  1.3 - Paul Lesneiwski <pdontthink@angrynerds.com>
   * Implemented copy functionality
   * CHMOD now works on all selected items
   * Moved edit from the button row to be a link
   * Symlinks get some color!
   * BACK link at bottom of file list
   * File edit link can also be a hyperlink (w/custom
     color)
   * Fixed bug when downloading nonexistent files 
     (thanks to Ryan <ryan@vendetta.com>)
   * Added $chmodOK to allow sysadmins to turn off
     all chmod code in the entire plugin in one place

  1.2 - Paul Lesneiwski <pdontthink@angrynerds.com>
   * Added file download/view functionality (tons of
     thanks to Ryan <ryan@vendetta.com> for the ideas
     and help!)
   * Added file sorting 
   * Added CHMOD functionality (can turn on/off per user)
     (thanks to Kenneth G. Kirk <kkirk@christtheteacher.org> 
     for tips and testing this and many other functions)
   * Disallow user to view symlinks (can turn on/off
     per user)
   * Added move/rename functionality.  User must enter
     path manually (I'd like to provide a way for them
     to browse in a popup window or the likes and select
     the target by clicking on it).  Protection is 
     included to disallow moving anything above the
     user's base directory.
   * Made default permissions (and umask) used when creating 
     files and directories configurable.

  1.1 - Paul Lesneiwski <pdontthink@angrynerds.com>
   * Disallow users from attempting to edit directories
   * Potential security hole when uploading files fixed 
     (props to Ryan <ryan@vendetta.com>!!)
   * Protect files from being overwritten unless user
     checks a checkbox
   * Dynamic "smart" file name checks to avoid getting
     a message about duplicate file names AFTER waiting
     for a (possibly large) file to upload.

  1.0 - Paul Lesneiwski <pdontthink@angrynerds.com>
   * Initial release.



Future Work
===========

  *  Move files function -- need a clean way for
     user to select target directory.  Pop up a
     small window where the user can browse to
     the target?

  *  CHMOD functionality - perhaps it would be nice
     to give a graphical way to choose permissions
     instead of asking for the octal number!

  *  Multiple file upload

  *  Limit editing of files to text files only.
     (How?  Using file extensions is easy, but not 
     a definitive solution.)

  *  Allow limited access to file execution or 
     certain tools (untar/unzip, etc)??  From
     a security perspective, this may be disastrous.

  *  Allow more than one base directory per user

